News

All The Latest CyberNews..

Cybersecurity news stories that we found interesting and/or thought-provoking.

CyberNews – Biggest Incidents of 2017

Let this recap of 2017’s biggest cyber-incidents so far serve as a reminder of just how chaotic things have already gotten.

Equifax

Equifax, one of the three major credit reporting agencies, handles the data of 820 million consumers and more than 91 million businesses worldwide. Between May and July of this year 143 million people in the U.S. may have had their names, Social Security numbers, birth dates, addresses and even driver’s license numbers accessed. In addition, the hack compromised 209,000 people’s credit card numbers and personal dispute details for another 182,000 people. What bad actors could do with that information is daunting.

This data breach is more confusing than others — like when Yahoo or Target were hacked, for example — according to Joel Winston, a former deputy attorney general for New Jersey , whose current law practice focuses on consumer rights litigation, information privacy, and data protection law.

While other companies have scrambled to retain loyalty after consumer data has been compromised, the Equifax breach is different, says Winston, because we — the consumers — are not its customers.

“We are the product,” he says. “Us and our data is what Equifax is selling to other people and companies, and they are scrambling to keep their customers, without much regard for actual consumers.”

And while other breaches may have exposed credit card numbers or Social Security numbers, the information Equifax has — on almost all of us — is much more extensive, which makes us all feel very vulnerable.

Shadow BrokersThe mysterious hacking group known as the Shadow Brokers first surfaced in August 2016, claiming to have breached the spy tools of the elite NSA-linked operation known as the Equation Group. The Shadow Brokers offered a sample of alleged stolen NSA data and attempted to auction off a bigger trove, following up with leaks for Halloween and Black Friday in 2016.This April, though, marked the group’s most impactful release yet. It included a trove of particularly significant alleged NSA tools, including a Windows exploit known as EternalBlue, which hackers have since used to infect targets in two high-profile ransomware attacks (see below).The identity of the Shadow Brokers is still unknown, but the group’s leaks have revived debates about the danger of using bugs in commercial products for intelligence-gathering. Agencies keep these flaws to themselves, instead of notifying the company that makes the software so the vendor can patch the vulnerabilities and protect its customers. If these tools get out, they potentially endanger billions of software users.

On May 12 a strain of ransomware called WannaCry spread around the world, walloping hundreds of thousands of targets, including public utilities and large corporations. Notably, the ransomware temporarily crippled National Health Service hospitals and facilities in the United Kingdom, hobbling emergency rooms, delaying vital medical procedures, and creating chaos for many British patients.

Though powerful, the ransomware also had significant flaws, including a mechanism that security experts effectively used as a kill switch to render the malware inert and stem its spread. US officials later concluded with “moderate confidence” that the ransomware was a North Korean government project gone awry that had been intended to raise revenue while wreaking havoc. In total, WannaCry netted almost 52 bitcoins, or about $130,000—not much for such viral ransomware.

WannaCry’s reach came in part thanks to one of the leaked Shadow Brokers Windows vulnerabilities, EternalBlue. Microsoft had released the MS17-010 patch for the bug in March, but many institutions hadn’t applied it and were therefore vulnerable to WannaCry infection.

A month or so after WannaCry, another wave of ransomware infections that partially leveraged Shadow Brokers Windows exploits hit targets worldwide. This malware, called Petya, NotPetya and a few other names, was more advanced than WannaCry in many ways, but still had some flaws, like an ineffective and inefficient payment system.

Though it infected networks in multiple countries—like the US pharmaceutical company Merck, Danish shipping company Maersk, and Russian oil giant Rosnoft—researchers suspect that the ransomware actually masked a targeted cyberattack against Ukraine. The ransomware hit Ukrainian infrastructure particularly hard, disrupting utilities like power companies, airports, public transit, and the central bank, just the latest in a series of cyber assaults against the country.

On March 7, WikiLeaks published a data trove containing 8,761 documents allegedly stolen from the CIA that contained extensive documentation of alleged spying operations and hacking tools. Revelations included iOS and Android vulnerabilities, bugs in Windows, and the ability to turn some smart TVs into listening devices.

Wikileaks called the dump “Vault 7,” and the organization has followed the initial release with frequent, smaller disclosures. These revelations have detailed individual tools for things like using Wi-Fi signals to track a device’s location, and persistently surveilling Macs by controlling the fundamental layer of code that coordinates hardware and software.

WikiLeaks claims that Vault 7 reveals “the majority of [the CIA] hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation.” It is unclear, though, what proportion of the CIA toolbox the disclosures actually represent. Assuming the tools are legitimate, experts agree that the leaks could cause major problems for the CIA, both in terms of how the agency is viewed by the public and in its operational abilities. And as with the Shadow Brokers releases, Vault 7 has led to heated debate about the problems and risks inherent in government development of digital spy tools.

In February, the internet infrastructure company Cloudflare announced that a bug in its platform caused random leakage of potentially sensitive customer data. Cloudflare offers performance and security services to about six million customer websites (including heavy hitters like Fitbit and OKCupid), so though the leaks were infrequent and only involved small snippets of data, they drew from an enormous pool of information.

Google vulnerability researcher Tavis Ormandy discovered the problem on February 17, and Cloudflare patched the bug within hours, but the data leakage could have started as early as September 22, 2016. Leaked data was only deposited on a small subset of Cloudflare customer sites, and usually it wasn’t visible on the pages themselves. Search engines like Google and Bing that crawl the web, though, automatically cached the errant data—everything from gibberish to users’ Uber account passwords and even some of Cloudflare’s own internal cryptography keys—making it all easily accessible through search.

Cloudflare worked with search engines ahead of and after the announcement to remove the leaked data from caches, and experts noted that it was unlikely that hackers used the data malevolently; the random leaks would have been difficult to weaponize or monetize efficiently. But any exposed sensitive data creates risks. The incident was also significant as a reminder of how much rides on large internet infrastructure and optimization services like Cloudflare. Using one of these services makes sites much more robust and secure than they probably would be on average if owners attempted to build defenses themselves. The tradeoff, though, is a single point of failure. A bug or a damaging attack affecting a company like Cloudflare can impact, and potentially endanger, a significant portion of the web.

Unfortunately, it’s not uncommon to hear that a trove of voter data was breached or exposed somewhere in the world. But on June 19, researcher Chris Vickery announced a discovery that would give even the most jaded security expert pause. He had discovered a publicly accessible database that contained personal information for 198 million US voters—possibly every American voter going back more than 10 years.

The conservative data firm Deep Root Analytics hosted the database on an Amazon S3 server. The group had misconfigured it, though, such that some data on the server was protected, but more than a terabyte of voter information was publicly accessible to anyone on the web. Misconfiguration isn’t a malicious hack in itself, but it is a critical and all-too-common cybersecurity risk for both institutions and individuals. In this case, Deep Root Analytics said that the voter data, though publicly exposed, was not accessed by anyone besides Vickery—but it’s always possible that someone else discovered it, too. And though a lot of voter information is readily available anyway (names, addresses, etc.), Deep Root Analytics specializes in compiling revealing data, so being able to access so much pre-aggregated information would be a boon to a cyber criminal.

Two days before France’s presidential runoff in May, hackers dumped a 9GB trove of leaked emails from the party of left-leaning front-runner (now French president) Emmanuel Macron. The leak seemed orchestrated to give Macron minimal time and ability to respond, since French presidential candidates are barred from speaking publicly beginning two days before an election. But the Macron campaign did release statements confirming that the En Marche! party had been breached, while cautioning that not everything in the data dump was legitimate.

The attack was less strategic and explosive than the WikiLeaks releases of pilfered DNC emails that dogged Hillary Clinton’s presidential campaign in the US, but Macron also had the advantage of observing what had happened in the US and preparing for potential assaults. Researchers did find evidence that the Russian-government-linked hacker group Fancy Bear attempted to target the Macron campaign in March.

After the email leak heading into the election, the Macron campaign said in a statement, “Intervening in the last hour of an official campaign, this operation clearly seeks to destabilize democracy, as already seen in the United States’ last president campaign. We cannot tolerate that the vital interests of democracy are thus endangered.”

CyberNews – September 2017

The notorious hacking group that has been in operation since at least 2011 has re-emerged and is still interested in targeting the United States and European companies in the energy sector. Yes, I am talking about the ‘Dragonfly,’ a well-resourced, Read More …

Researchers claim a programming error in the Microsoft Windows kernel cracks the door open for malicious executables to bypass security software. The flaw, according to security firm EnSilo, has been present on previous versions of Windows dating back to Windows Read More …

European Union defence ministers tested their ability to respond to a potential attack by computer hackers in their first cyber war game on Thursday, based on a simulated attack on one of the bloc’s military missions abroad. In the simulation, Read More …

What if your smartphone starts making calls, sending text messages, and browsing malicious websites on the Internet itself without even asking you? This is no imaginations, as hackers can make this possible using your smartphone’s personal assistant like Siri or Read More …

Six exploitable flaws in chipsets used by Huawei, Qualcomm, MediaTek and NVIDIA were found in popular Android handsets, according to a report by University of California at Santa Barbara computer scientists. Each of the flaws exist in phones sold by Read More …

Records of roughly four million Time Warner Cable customers in the US were exposed to the public internet after a contractor failed to properly secure an Amazon cloud database. Researchers with security company Kromtech said freelancers who handled web applications Read More …

Prominent cybersecurity firm Kaspersky Lab poses a danger to U.S. security, warns Sen. Jeanne Shaheen, D-N.H., who is pushing to prohibit the federal government from using the Moscow-based company’s products. In a New York Times column, Shaheen alleges that the company Read More …

Thousands of resumes and job applications containing the personal information of U.S. veterans, many with top secret clearances, and law enforcement officers were left exposed in an Amazon Web Services S3 bucket, continuing a trend where poorly configured cloud-storage services Read More …

New analysis shows cyber-breach has large impact on stock price: When it comes to thinking about cyber-attacks, many of the folks running businesses are relying on a heavy combination of faith (“it won’t happen to us”), reliance on cyber-insurance (“any losses will be covered”), and the unfounded belief that the long-term consequences won’t be that bad (“if it does happen, we’ll be back in business in no time”). ITSP Magazine, August 7, 2017

Cyber Security in Society

HBO Cyber Attack

Game of Thrones stars’ personal details leaked as HBO hackers demand ransom: Hackers of US television network HBO have released personal phone numbers of Game of Thrones actors, emails and scripts in the latest dump of data stolen from the company, and are demanding a multimillion-dollar ransom to prevent the release of whole TV shows and further emails. The Guardian, August 8, 2017

Know Your Enemy

Russia’s ‘Fancy Bear’ Hackers Used Leaked NSA Tool to Target Hotel Guests: Since as early as last fall, the Russian hacker group known as APT28, or Fancy Bear, has targeted victims via their connections to hacked hotel Wi-Fi networks, according to a new report from security firm FireEye, which has closely tracked the group’s intrusions, including its breach of the Democratic National Committee ahead of last year’s election. Wired, August 11, 2017

Cyber Sunshine

Alleged sextortionist caught after FBI plants malware on video of victim: A Bakersfield, Calif. man who allegedly tried to extort pornographic video footage from underage victims was tracked down and apprehended after investigators secretly hid malware on a digital video file sent from the intended victim’s computer, according to a criminal complaint filed in Indiana. SC Media, August 10, 2017

Alleged vDOS Operators Arrested, Charged — Krebs on Security: Two young Israeli men alleged by this author to have co-founded vDOS — until recently the largest and most profitable cyber attack-for-hire service online — were arrested and formally indicted this week in Israel on conspiracy and hacking charges. KrebsOnSecurity, August 09, 2017

PIHRA: Information Security Awareness: The Cyber Tsunami!:Citadel’s Kimberly Pease will facilitate a discussion of (i) steps to take to protect a company’s information from hackers and cyber criminals; (ii)tips to protect yourselves as consumers; (iii) understanding who the criminals are and why you are a target; (iv) real stories and scary examples that could happen to you. September 20, 7:30 – 9:30, The City Club

SecureTheVillage: San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable: The San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable is designed to support communication and collaboration between C-Suite executives, IT managers, and cybersecurity experts. The San Fernando Valley-East Roundtable is intended for both for-profit and nonprofit organizations. The Roundtable functions as a cross-organizational “learning community” committed to working together to better protect our community from cybercrime. September 28, 7:30 -10AM. Datastream, Glendale.

Founding, building, and nurturing a Cybersecurity Science for everyone. We are a one-stop-shop for learning from—and contributing to—the latest findings and new scientific thinking emerging from the computer security community.

We extend a warm welcome to you, and an open invitation to get involved; no matter what your expertise level; and do contribute ideas, thoughts and experiences for the benefit of all.

SCIENCE OF CYBERSECURITY FRAMEWORK

In order to establish a logically coherent statement of basic theory, and to enable orderly progression of the same; we hereby define the Science Of Cybersecurity Framework (SCF).

Whereby, the SCF comprises all of the fundamental Cybersecurity axioms, principles, concepts, events and processes etc. The upshot is a complete characterisation of the entire subject matter of Information Security.

The purpose of the SCF is not to list, in an exhaustive fashion, every possible instance of a Cybersecurity failure/vulnerability and/or protective measure; but rather to define all of the logical elements that could possibly comprise the same. In other words, the SCF seeks to identify all of the universals of Cybersecurity, in the belief that any particulars will naturally follow.

WE NEED YOU!

Obviously development of a new science—is not the job of one person alone; but rather science can only arise, evolve and progress through consensus; and by the power of multiple brains.

Consequently, we invite members of the Cybersecurity community to get involved and contribute to this effort.

The Science of Cybersecurity – by Alan Radley (2017). Free digital edition is here, and the printed edition is on Amazon here.

Sample Reviews

Excellent read! Succinct and accurate on a subject that normally wanders into tangential discussions confusing and diffusing the goal… Radley breaks down today’s hottest topic in a way that provides reference to students as well as guidance to the more learned… I found it spot on and a fine addition to the body of work on cyber-security but specifically to the discussion of privacy within communications… I see this as a reference document for students studying cyber security as well as an excellent read for CTOs, CSOs, CISOs, and CEOs laboring over how to analyze their needs for increased security… allows you to hit the highlights or dive deeper into the subject with your many charts, diagrams, and glossary of terms.

Will no doubt be recognized as one of the seminal works on security, establishing definitions and clarity where others have dealt with assumptions… it is not very often that one is exposed to a work that is truly ground breaking in a field, but this is one of those works. Rather than expounding on the implementation of security as many do, Dr. Alan Radley astutely asks (and then suggests an answer for) the rather naive, yet deceptively complex question “What is security?”, or more precisely “How does one characterize a communication system for secure data transfer?” As Dr. Radley examines this question, the reader becomes aware that the answer is much more elusive than one first assumes.

As Dr. Radley builds a working compendium of definitions needed to examine the issue, the reader becomes more and more aware that the current vernacular is insufficient for discussing secure communication at a philosophical level, and if we cannot agree on what it means to be secure or private in thought, how can we accomplish it in act? It is here, laying the foundation of formal definition of socially secure communication, that Dr. Radley’s work is groundbreaking and will no doubt be referenced by many works to come.

As cyber education evolves to meet the pace of change in our digital world so does the need for good reference books.. a timely and spot on publication that I shall be recommending to my students; well done Dr Radley.

Professor Richard Benham – National Cyber Skills Centre, UK.

An excellent read and would definitely recommend this to our AISA members as a way to get a different perspective on security.

In a world full of privacy breaches, Radley timely develops a framework that delves into complexity of technical and human-centric factors that affect our perception of privacy and cybersecurity. I recommend this book to everyone who is interested in making our cyber world more secure.

Vitali Kremez (6/2/2016) – CyberCrime Investigative Analyst.

The book provides the reader with an accurate and objective view of the life-cycle of the exposures and vulnerabilities which are associated with the technological shadow cast over all individuals, and organisations. This is a unique piece of work… an excellent read, and deserves a place on every security professional’s bookshelf who is seeking a balanced and objective view of the current, and futuristic Cyber Security Landscape.

Professor John Walker – Nottingham Trent University.

Alan Radley makes sense of the complexities which ordinarily restrict this topic to IT people only… required reading for anyone focused on secure and private communication… What’s more, Alan’s no-nonsense approach and fearless honesty, is refreshing. I recommend this to those interested in making certain that their communication is more private, secure and resilient.

Bill Montgomery – CEO – Connect In Private.

A brilliant book! Did it make me wiser? Yes…

Pantazis Kourtis – Member of the Board of Directors at London Chapter at ISACA.

I commend this book to a wide readership. Well done Sir, more please.

Tony Collings OBE -Chairman – The ECA Group.

A very concise body of work, that belies its length for the practical application of useful data in a highly complex area… should be required reading for anyone providing third party services whereby their security claims cannot be held up without transparency. Ignore this work at your peril.

Christian Rogan – Vice President, Royal Holloway Enterprise Centre.

I highly recommend this book for individuals interested in understanding the challenges facing the security and information assurance specialist. Dr. Radley’s direct approach provides an excellent read and can enable valuable insights into an extremely complex topic such as security.

What Kind Of A Science Is Cybersecurity?

Cybersecurity is impossible to develop as a logical subject of study—without first establishing an observational science that identifies what we are dealing with in the first place.

Ergo, we become able to know what kinds of phenomena to look for, measure, model and control. Thus we define a set of Absolute Security metrics—and accordingly fully prescribe the various classes/types of Cybersecurity vulnerabilities—plus evolve truly effective countermeasures… >>

Avoid Hacking And data-Breaches With KeyMail

‘Cloud’ copies are highly vulnerable to hacking; largely because they will be around for a very long time—possibly forever—and as a result may be subject to innumerable future hacking attacks.

For Absolute Security in interpersonal communications, the KeyMail file-transfer protocol eliminates ‘cloud’ copies altogether; whereby client data transfers directly between devices. We call this Single-Copy-Send—and the upshot is that there are no vulnerable ‘third-party’ copies to attack, and hence no hacking risks… >>